Certificate Chains

A certificate chain is a series of certificates in which each certificate is
issued (signed) by the CA certificate that follows it, ending in a root CA certificate.

Web browsers are preconfigured with a set of root CA certificates that
the browser automatically trusts. Any other certificate must be accompanied
by a certificate chain that links it back to one of those trusted roots before
its validity can be verified.

When a certificate is first generated, it is a self-signed certificate.
A self-signed certificate is one for which the issuer (signer) is the same
as the subject (the entity whose public key is being authenticated by the
certificate). When the owner sends a certificate signing request (CSR) to
a CA, then imports the response, the self-signed certificate is replaced by
a chain of certificates. At the bottom of the chain is the certificate (reply)
issued by the CA authenticating the subject's public key. The next certificate
in the chain is one that authenticates the CA's public key. Usually, this
is a self-signed certificate (that is, a certificate from the CA authenticating
its own public key) and the last certificate in the chain.

In other cases, the CA can return a chain of certificates. In this situation,
the bottom certificate in the chain is the same (a certificate signed by the
CA, authenticating the public key of the key entry), but the second certificate
in the chain is a certificate signed by a different CA, authenticating the
public key of the CA to which you sent the CSR. Then, the next certificate
in the chain is a certificate authenticating the second CA's key, and so on,
until a self-signed root certificate is reached. Each
certificate in the chain (after the first) thus authenticates the public key
of the signer of the previous certificate in the chain.
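The following is an added example (not part of this page and not a keytool or CA implementation) that builds such a chain with the Go standard library and then checks it in both of the ways described above: walking the chain bottom-up so that every certificate after the first authenticates the signer of the previous one, ending at a self-signed root, and validating the leaf the way a browser would, with only the root trusted. The CA names, the hostname `example.test`, and all keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key; entropy failure is not recoverable here.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template (constructed names, not a real CA or host).
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // a CA must be permitted to sign certificates
	}
	return t
}

// issue signs pub into a certificate with signerKey; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl // issuer == subject: this is how the root CA certificate is made
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates root -> intermediate -> leaf and returns them bottom-up:
// index 0 is the leaf (the CA reply), the last element is the self-signed root.
func BuildChain() ([]*x509.Certificate, error) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root, err := issue(template(1, "Example Root CA", true), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := issue(template(2, "Example Intermediate CA", true), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(template(3, "example.test", false), inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, inter, root}, nil
}

// WalkChain applies the rule from the text: every certificate after the first
// must have signed the one before it, and the last one must be self-signed.
func WalkChain(certs []*x509.Certificate) error {
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("%q not signed by %q: %w", certs[i].Subject.CommonName, certs[i+1].Subject.CommonName, err)
		}
	}
	last := certs[len(certs)-1]
	if err := last.CheckSignatureFrom(last); err != nil {
		return fmt.Errorf("%q is not a self-signed root: %w", last.Subject.CommonName, err)
	}
	return nil
}

// VerifyLeaf does what a browser does: trust only the root and try to build a
// path from the leaf using the intermediates supplied with it. It returns the
// length of the validated path (3 for leaf + intermediate + root).
func VerifyLeaf(certs []*x509.Certificate, withIntermediate bool) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(certs[len(certs)-1])
	if withIntermediate {
		inters.AddCert(certs[1])
	}
	chains, err := certs[0].Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}
```

`VerifyLeaf(certs, false)` fails with an unknown-authority error: the root is trusted, but without the intermediate there is no path from the leaf to it. That is the practical reason a certificate from outside the browser's root set must be delivered together with its chain. `WalkChain(certs[:2])` fails as well, because the intermediate at the end of that truncated list is not self-signed.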